Port Forwarding Quick Reference

Your router is looking out for you. It does far more than connect devices in your house to the internet so you can browse, send email, or watch movies. It also keeps the bad guys out by blocking all inbound traffic that isn’t in response to something you did, such as prompt for a web page. This doesn’t mean that the web page you received can’t infect you with a virus after you let in through the door. It just means that nobody can send you an incoming signal without you first requesting it or leaving a door open for it to enter.

Geek alert: This is called stateful packet inspection (SPI). In simple terms, it means your router keeps track of what you sent out and will allow in either a response to your request or what you specifically permitted. Everything else gets blocked at the door. It’s also referred to as dynamic packet filtering.

SPI is a part of the firewall properties of your router.

Routers communicate with your network and the world at large using ports. A port is like a channel on your TV, only your router has over 65000 ports available to use while your TV has, at best, a few hundred. Think of a port as something like ABC is on channel 7 in Chicago.

The internet also uses two basic types of communication; TCP and UDP. Most traffic uses TCP, which, by definition, is considered reliable. The term is not being used as an evaluation. TCP is reliable by design. TCP is designed to make sure that you get what was sent to you correctly. As a result, the transfer includes a lot of control information so your computer can make sure it received everything it was sent. UDP is unreliable by design. With UDP, you just get a message. Maybe it’s correct and maybe not. The upside is UDP is fast. Most internet traffic uses TCP.

The people who invented the internet decided that certain activities should always occur on certain ports. They call them well known ports, and are numbered as ports 0 through 1023. HTTP, or basic web pages, travel using TCP port 80. HTTPS uses TCP port 443. Wikipedia provides a list of well known ports.

Some applications on your computer take advantage of a plug and play feature on your router which configures it to be more agreeable to port traffic specific to that application.

Some applications you run require you to open manually ports on your router so inbound traffic can get past the firewall and into your computer. For example, if you decide to set up a web server, unsolicited traffic on port 80 will want in. You’ll have to open port 80 on your router. As a safety feature, your router needs you to explicitly state which computer on your network will receive the inbound traffic by entering the IP address it should be directed toward. That’s why it’s called port forwarding, and not port opening. You tell your router which ports to open, which computer to send the traffic to, and whether or not to keep it on the same port, or redirect it to a different port.

All routers do this in the same general way, but all manufacturers use different screens to accomplish it. Some manufacturers use different terminology. These are representative examples.

Basic Port Forwarding Examples

This is a port forwarding screen from an Asus router.

###

This is a port forwarding screen from a router loaded with DD-WRT, an open source operating system you can load on certain routers to replace the firmware that was originally installed on it. DD-WRT can provide capabilities that were not available on your router by default. In my case, I took an inexpensive refurbished dual frequency router and used DD-WRT to convert it into a 5GHz client bridge for media devices.

____________________

Set Up DDNS On Your Router

DDNS permits you to use the IP address you received from your ISP and associate it with your own URL. The DDNS service keeps on top of any changes your ISP may make to the IP address they assigned you. This allows you to use a URL to contact a home server for whatever purpose you require, assuming your ISP permits it. In general, you have to regularly run a program on your server that notifies the DDNS server of your IP address at that moment. Many modern routers have this feature built in and support selected DDNS providers.

This is a DDNS setup screen on an Asus router.

###

Here’s one from DD-WRT.

____________________

Bad Idea Alert: Letting All Inbound Traffic In For One Computer

Many network diagrams have a picture of a cloud or something similar to represent the internet. Traffic frequently goes past a firewall (often depicted as a little brick wall), into a computer called the DMZ, and, finally, into your network. As it applies to your router, a DMZ is one IP address on your network that is totally exposed to incoming internet traffic. The theory is that the DMZ should be hardened in a custom manner so that your network design can have flexibility, but remain safe. In practice, a home router with one address fully exposed to the internet is like removing the guard from the front gate, then leaving the gate wide open.

But, if you want to have your own DMZ, here’s how.

An Asus router opens a DMZ on this screen.

###

DD-WRT opens one up on this screen.

____________________

I don’t mean to scare you but …….

My home network is scanned from all over the world, 100s of times a day. Nonstop. So is yours. I see their daily attempts on my various router logs. I have no idea what they want, but I personally assume they are up to no good. Some claim to be ‘security researchers’. I have no idea what that means. To best protect yourself, keep as few ports open towards the internet as possible. Protect the ones that are not intended for public access with encryption certificates, passwords, and user ids known only to you. If someone Googles your IP address, the search results might point directly to a door a device of yours created on your home network.Google is amazing in how it finds places to go on the internet. (This also implies someone with no bad intent can accidentally attempt entry to an exposed device if Google finds it and it’s not protected properly.) SPI and NAT can’t protect you if a port is left open. You need to take the initiative from there. Keep all firmware updated as directed by the people you got it from.